ISO 9001:2015 Risk-based Thinking
ISO 9001 was revised in September of 2015. Included in the Quality Management System (QMS) requirements is an element called Risk-based Thinking. Risk-based thinking is required for certification under ISO 9001:2015. Risk-based thinking and improvement have replaced the preventive action section of the ISO 9001:2008 standard.
Organizations must plan and implement actions to address risks and opportunities, and those actions must be proportionate to the potential impact of the risk or opportunity.
Risk is defined as "the positive or negative effect of uncertainty". The ISO 9001:2015 standard requires organizations to consider both negative and positive risks and the treatment of both. An organization will naturally want to reduce its exposure to a negative risk and exploit a positive one. Many organizations produce massive amounts of information and data, but that information and data must be meaningful for the organization to take appropriate action. Information and data influence uncertainty, and the lack of 'meaningful information' poses a significant risk for any organization.
We begin our discussion of risk-based thinking with one of the Quality Management principles covered in the introduction video: the Process Approach. The process approach is defined as the "process and system-level view of linkages, interfaces, and process interactions". It applies the PDCA cycle with an overall focus on risk-based thinking. PDCA (Plan, Do, Check, Act) is applied to all processes and to the Quality Management System as a whole.
Using the Plan, Do, Check, Act cycle, we are able to consider opportunities as well as risks, since the PDCA cycle is iterative. The risks and opportunities will change dynamically based upon influences on the organization.
QMS process objectives should have planned outcomes and should consistently deliver those outcomes. The "do step" in PDCA is where the work is accomplished: at this step the organization implements and performs the processes while monitoring the output / outcome. During the "check step", we monitor, gather, verify, validate, and report the information and data that the organization has collected. After these measures and metrics have been captured, the organization analyzes the information and decides whether additional actions or changes to the "plan step" are needed. If so, actions are decided and action plans performed in the "act step". The PDCA cycle may happen numerous times a day or week, or several times per year, to support the process approach.
Risk-based thinking is defined as the "planned and implemented actions to address risks and opportunities pertaining to undesired outputs". There are negative risks, referred to as
and there are also positive risks, known as opportunities. Opportunities should be
while the remaining 'risk' is mitigated to an acceptable level depending upon the risk tolerance of the organization. Risk treatment is the "proactive management of risk using countermeasures and controls".
Risk is often expressed as a combination of likelihood and consequence (impact). Likelihood is the probability of an event occurring or recurring, while consequence is the possible impact of an event, characterized as effect or influence. An effective risk management strategy involves proactive and iterative risk identification, risk ranking, risk treatment, and risk monitoring. The risk rating places the identified risks and opportunities in order based on frequency, likelihood, severity, and impact / benefit on objectives. Monetary consequences, loss of customers, legal exposure, impact on interested parties, and other ranking criteria develop the organizational risk posture. Risk terms and methodologies are discussed further on my Risk Management Strategy
Risk identification in the ISO 9001:2015 standard begins in clause 4. Identifying internal and external "issues" and understanding the organizational context, purpose, and strategic direction is the 'starting point'. The organization must proactively monitor and review information about these external and internal issues. The vision statement, mission statement, policies, strategic objectives, legal exposure, technological challenges, and competition provide insight, along with organizational culture, geographical orientation, organizational knowledge, performance, and historical information.
ISO 9001:2015 requires actions to address the identified risks and opportunities.
management system objectives, processes and controls, resources, improvement needs, organizational changes, product and/or service requirements, external providers, and the specific business environment, including internal and external effects and influences, are of concern during this process.
Remember, ISO 9001:2015 tells us what to do, but it does not tell us how to do it. I hope this information has been helpful in understanding the risk-based thinking requirements of ISO 9001:2015.
Cybersecurity and Quality Management